{"id":19205713,"url":"https://github.com/fairwindsops/bif","last_synced_at":"2025-09-04T03:42:44.680Z","repository":{"id":169796938,"uuid":"624092569","full_name":"FairwindsOps/bif","owner":"FairwindsOps","description":"Fairwinds Base Image Finder CLI","archived":false,"fork":false,"pushed_at":"2025-07-21T17:04:49.000Z","size":476,"stargazers_count":36,"open_issues_count":4,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-08-01T00:25:41.057Z","etag":null,"topics":["docker","fairwinds-incubator","security","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://fairwinds.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FairwindsOps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-04-05T18:20:19.000Z","updated_at":"2025-06-30T11:29:02.000Z","dependencies_parsed_at":null,"dependency_job_id":"2cd9d68b-7ce9-4273-ab74-45558d2d78f1","html_url":"https://github.com/FairwindsOps/bif","commit_stats":null,"previous_names":["fairwindsops/bif"],"tags_count":11,"template":false,"template_full_name":null,"purl":"pkg:github/FairwindsOps/bif","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fbif","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fbif/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fbif/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fbif/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FairwindsOps","download_url":"https://codeload.github.com/FairwindsOps/bif/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FairwindsOps%2Fbif/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273548790,"owners_count":25125255,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","fairwinds-incubator","security","vulnerabilities"],"created_at":"2024-11-09T13:13:42.265Z","updated_at":"2025-09-04T03:42:44.628Z","avatar_url":"https://github.com/FairwindsOps.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\" class=\"no-border\"\u003e\n    \u003cimg src=\"/img/bif-logo.svg\" height=\"150\" alt=\"Base Image Finder\" style=\"padding-bottom: 20px\"\u003e\n    \u003cbr\u003e\n    \u003cbr\u003e\n    \u003ca href=\"https://github.com/FairwindsOps/bif/releases\"\u003e\n        \u003cimg src=\"https://img.shields.io/github/v/release/FairwindsOps/bif\"\u003e\n    \u003c/a\u003e\n    \u003ca href=\"https://bif.docs.fairwinds.com\"\u003e\n        \u003cimg src=\"https://img.shields.io/badge/-docuementation-green\"\u003e\n    \u003c/a\u003e\n    \u003ca 
href=\"https://join.slack.com/t/fairwindscommunity/shared_invite/zt-e3c6vj4l-3lIH6dvKqzWII5fSSFDi1g\"\u003e\n      \u003cimg src=\"https://img.shields.io/static/v1?label=Slack\u0026message=Join+our+Community\u0026color=4a154b\u0026logo=slack\"\u003e\n    \u003c/a\u003e\n\u003c/div\u003e\n\n# BIF - The Fairwinds Base Image Finder Client\n\nThis utility interacts with the Fairwinds BIF-Server to find base images and report on their vulnerabilities.\n\n## What Is It and Why?\n\nWhen using a container scanning tool to identify known vulnerabilities (CVEs, or common vulnerabilities and exposures), it can be difficult to understand _where_ the vulnerabilities exist in the container, and how to mitigate them. Often, the simplest and most efficient mitigation is to update the \"base image\" - or the image used in the `FROM` statement in your container definition.\n\nBIF helps you understand the impact that updating your container's base image will have:\n  * First, it can detect what base image the container is using, even though it doesn't have access to the Dockerfile.\n  * Second, it will show you what vulnerabilities are present in that base image.\n  * Lastly, it will show you which versions of that base image don't have those vulnerabilities.\n\n## Installation\n\nDownload the latest binary from the [releases page](https://github.com/FairwindsOps/bif/releases/latest).\n\n## Usage\n\n### Request a Token\n\nFirst, you must request an API token to use with the base image finder. You can do this via the CLI:\n\n```\nbif request-token\n# Follow the prompt to enter your email address\n```\n\nYou will receive your token via email. 
To automatically have BIF use this token, export it as `INSIGHTS_OSS_TOKEN` in your environment.\n\n### Extract Layers Using Skopeo and Find Base Image\n\n```\nbif find --image-layers $(skopeo inspect docker://us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0 | jq -rc '.Layers[]')\n\nInput:  [sha256:2408cc74d12b6cd092bb8b516ba7d5e290f485d3eb9672efc00f0583730179e8]\n\n   BASE IMAGE   | LAST SCAN  |      CVE       | SEVERITY | CVSS |    FIXED IN\n----------------+------------+----------------+----------+------+-----------------\n  alpine:3.16.0 | 2023-02-28 | CVE-2022-2097  | MEDIUM   | 5.30 | 3.17.3, 3.16.5\n                |            | CVE-2022-30065 | HIGH     | 7.80 | 3.17.3, 3.16.5\n                |            | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5\n                |            | CVE-2022-4304  | MEDIUM   | 5.90 | 3.17.3, 3.16.5\n                |            | CVE-2022-4450  | HIGH     | 7.50 | 3.17.3, 3.16.5\n                |            | CVE-2023-0215  | HIGH     | 7.50 | 3.17.3, 3.16.5\n                |            | CVE-2023-0286  | HIGH     | 7.40 | 3.17.3, 3.16.5\n```\n\n### Use BIF with a publicly available image\n\n```\nbif find --image us-docker.pkg.dev/fairwinds-ops/oss/polaris:7.0.0\n\nInput: us-docker.pkg.dev/fairwinds-ops/oss/polaris 7.0.0\n\n   BASE IMAGE   | LAST SCAN  |      CVE       | SEVERITY | CVSS |    FIXED IN\n----------------+------------+----------------+----------+------+-----------------\n  alpine:3.16.0 | 2023-02-28 | CVE-2022-2097  | MEDIUM   | 5.30 | 3.17.3, 3.16.5\n                |            | CVE-2022-30065 | HIGH     | 7.80 | 3.17.3, 3.16.5\n                |            | CVE-2022-37434 | CRITICAL | 9.80 | 3.17.3, 3.16.5\n                |            | CVE-2022-4304  | MEDIUM   | 5.90 | 3.17.3, 3.16.5\n                |            | CVE-2022-4450  | HIGH     | 7.50 | 3.17.3, 3.16.5\n                |            | CVE-2023-0215  | HIGH     | 7.50 | 3.17.3, 3.16.5\n                |            | CVE-2023-0286  | HIGH 
    | 7.40 | 3.17.3, 3.16.5\n```\n\n## Troubleshooting\n\nIf you run into issues, you can try adding debug logging with the `--debug` flag. If you have further issues, please reach out in the community Slack or file a GitHub issue.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffairwindsops%2Fbif","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffairwindsops%2Fbif","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffairwindsops%2Fbif/lists"}